Chasing down an intruder
Stride
March 24th, 2002, 12:27 AM
My small home network is hidden behind an RT314 firewall. I'm getting a common message (every couple days) from the firewall, telling me that a particular IP address is trying to access the firewall's public IP address. I have the IP of the machine trying to get in; how do I find out who it belongs to and what do you suggest I do about it? I suppose I could call them, or...
I don't want to escalate a fight, but I'm afraid they're going to keep trying until they get through. I'm not sure how they even found it; I'm running in stealth mode on the address and all ports. I had it tested through the Gibson Research Corporation here:
https://grc.com/x/ne.dll?bh0bkyd2
I'm open to all suggestions, but keep in mind I don't have the time to constantly watch my back either...
Right now it's simply a security issue, and not yet a threat.
-Stride
Guus
March 24th, 2002, 12:59 AM
Well, as long as your firewall is blocking the attempts, you're safe. What I would do is traceroute the IP, and report it to its ISP ( abuse@<isp> ) together with a copy of your logs. That should do the trick.
Ouroboros
March 24th, 2002, 01:05 AM
yep...like Guus said, just report it...abuse@whateverISP...those guys are never offline, and should take care of the problem very quickly...
As far as yourself, it sounds like you(personally) are safe...but think of the unsuspecting users that aren't...
If you are really interested in finding out who this violating user is, try NTX (http://www.neoworx.com/products/ntx/), although if said abuser is skilled enough, you won't find out anything useful.
Ouroboros
xifon
March 24th, 2002, 01:13 AM
i would do it like guus.
but you can go a lot further than that. once you have the ip you can start ip-queries, looking up on whois, x-whois and so on. trying to get the name of the person and contact it yourself should be pretty hard, cuz the provider isn't allowed to tell you stuff like that. but if you somehow manage to do it, tell me, i would be interested in it. if you still want to do more, go to a public library and look into books like hacking exposed, or check out their website. there they tell you the kind of attack, and how to react. there are tons of stuff bout that shit out there, so you should be able to do some stuff. but whatever you do, don't try to kick 'em or crash their computer. in that case you would be just as "bad" as they are. and it will just cause you more problems. but on the other side you definitely shouldn't ignore 'em.
but maybe the whole thing is just some stupid advertising shit trying to connect to you, from some stupid page you once visited and they can't get behind your firewall (runs pretty much over cookies). in that case its useless anyway, cuz they know what is legal and what not. (for further information on that cookie-advertising shit look in the last issue of 2600 "behind the scenes of a web page", then you will know what i'm talkin bout)
from what you said your small network seems pretty safe anyway, so you shouldn't think bout it too much, just check out who it is, and if it is a major company, forget bout it, that stuff happens all the time, if not, then you just call the provider and tell them to stop that idiot from messing round with you, that should be enough
Stride
March 24th, 2002, 09:04 PM
NTX worked great, thanks. In the last 24 hours, I used quite a few tracer programs, and that one definitely provided the most information.
str34m3r
March 24th, 2002, 09:13 PM
In order to answer the question well, I think I'm going to need a little more info. Most importantly, what port are they scanning you on?
For example, is it 1214? I constantly see people trying to connect to 1214 on my firewall. That's because every day, more and more people are trying out the kazaa filesharing software. And their machines are constantly searching for other kazaa machines to communicate with. It doesn't really qualify as a scan, it just means that whoever coded kazaa made it very active in searching for computers to talk to.
Another example is port 113. A lot of times when you connect to an FTP server, the server is configured to connect back to your machine to try to figure out who you are. This is left over from the good old days of the internet when no one really paid attention to security and everyone trusted everyone.
These are just two examples... if you're not comfortable telling everyone what port you're being scanned on, you can always go to a place like www.snort.org and use their online port database tool to find out more about what they are scanning.
With a little more detail, I could give you a more definitive answer, but if it is indeed a scan, then the other answers you've already received are a great start at tracking your attacker.
Stride
March 24th, 2002, 09:39 PM
Here is the message I'm receiving from the firewall:
03/21/2002 18:13:18.608 - Sub Seven Attack Dropped - Source:12.230.12.53, 2812, WAN - Destination: **.***.**.***, 1243, WAN - -
I traced it to the east coast, but the domain belongs to AT&T. It's possible that the person is using AT&T as an ISP, and running a cable modem with a router. On the other hand, maybe it's actually AT&T trying to see us (it's our ISP too). Here is the trace info:
traceroute 12.230.12.53
3 198.172.117.161 2.975 ms DNS error [AS2914] Verio
4 129.250.29.132 2.821 ms ge-6-0-0.r02.lsanca01.us.bb.verio.net [AS2914] Verio
5 129.250.9.186 2.974 ms p4-0.att.lsanca01.us.bb.verio.net [AS2914] Verio
6 12.123.28.130 3.34 ms gbr3-p50.la2ca.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
7 12.122.2.69 16.157 ms gbr4-p20.sffca.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
8 12.122.2.198 28.670 ms gbr3-p30.st6wa.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
9 12.122.5.166 29.190 ms gbr2-p10.st6wa.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
10 12.123.44.117 28.801 ms gar2-p370.st6wa.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
11 12.244.72.9 30.569 ms DNS error [AS7018] AT&T WorldNet Service Backbone
12 12.244.64.2 30.275 ms DNS error [AS7018] AT&T WorldNet Service Backbone
13 12.244.64.42 32.52 ms DNS error [AS7018] AT&T WorldNet Service Backbone
14 12.244.80.227 33.440 ms DNS error [AS7018] AT&T WorldNet Service Backbone
15 12.230.12.53 56.467 ms 12-230-12-53.client.attbi.com [AS7018] AT&T WorldNet Service Backbone
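An added example, not code from the thread or from any firewall vendor: a small Python parser for log lines in the format Stride quoted above, which labels each dropped connection by the destination ports discussed in this thread (1243 Sub7, 1214 KaZaA, 113 ident) and groups the real probes per source IP so the counts, ports and timestamps can go into an abuse report as Guus suggested. The field layout of the log line and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Assumed RT314-style layout (from the line quoted in the thread): timestamp - verdict - Source:ip, port, iface - Destination: ip, port, iface
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}(?:\.\d+)?) - (?P<event>.+?) - "
    r"Source:\s*(?P<src_ip>[\d.]+), (?P<src_port>\d+), (?P<src_if>\w+) - "
    r"Destination:\s*(?P<dst_ip>[\d.*]+), (?P<dst_port>\d+), (?P<dst_if>\w+)"
)

# Destination ports discussed in the thread, and whether a hit is a real probe or background noise.
KNOWN_PORTS = {
    1243: ("Sub Seven trojan probe", "scan"),
    1214: ("KaZaA peer discovery", "noise"),
    113: ("ident callback from an FTP/IRC server", "noise"),
}

def parse_firewall_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["src_port"], d["dst_port"] = int(d["src_port"]), int(d["dst_port"])
    return d

def classify(event):
    """Label a parsed event by its destination port: (description, 'scan'|'noise'|'unknown')."""
    return KNOWN_PORTS.get(event["dst_port"], ("unrecognised port", "unknown"))

def summarize(lines):
    """Group non-noise drops by source IP with hit count, ports and timestamps, for an abuse report."""
    report = defaultdict(lambda: {"count": 0, "dst_ports": set(), "timestamps": []})
    for line in lines:
        ev = parse_firewall_line(line)
        if ev is None or classify(ev)[1] == "noise":
            continue  # skip unparsable lines and known background traffic
        entry = report[ev["src_ip"]]
        entry["count"] += 1
        entry["dst_ports"].add(ev["dst_port"])
        entry["timestamps"].append(ev["ts"])
    return dict(report)

# Constructed sample lines modelled on the one quoted in the thread (not real log data).
SAMPLE_LOG = [
    "03/21/2002 18:13:18.608 - Sub Seven Attack Dropped - Source:12.230.12.53, 2812, WAN - Destination: 10.0.0.1, 1243, WAN - -",
    "03/22/2002 09:01:02.100 - Sub Seven Attack Dropped - Source:12.230.12.53, 3031, WAN - Destination: 10.0.0.1, 1243, WAN - -",
    "03/22/2002 09:05:44.000 - Connection Dropped - Source:192.0.2.77, 1214, WAN - Destination: 10.0.0.1, 1214, WAN - -",
]
```

Running `summarize(SAMPLE_LOG)` keeps only the 12.230.12.53 entry with two hits on port 1243; the KaZaA line is dropped as noise.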
Custy_J
March 24th, 2002, 10:27 PM
sometimes with cable modems the provider sends out broadcast packets that the firewall may misinterpret..I've seen this before using a Sonic Wall and also with Microsoft ISA server. The logs on both the ISA box and the firewall showed that IPs were being spoofed. In reality they turned out to be broadcast packets from the ISP..
cwk9
March 24th, 2002, 11:17 PM
Firewalls have a bad habit of reporting hacking attempts if your ISP tends to send lots of broadcast messages. If someone is trying to hack your system, traceroute is a good start; you can always use neotrace if you like fancy maps and buttons.
Tedob1
March 24th, 2002, 11:48 PM
if you've scanned your system for trojans and didn't find any, i wouldn't worry about it. probably just a kiddie with a new scanner and a sub7 client looking for someone to play with.
the next time it happens, stop whatever you're doing, scan his/her ports. That should let the lammer know you're on to him and that he may be in danger of getting in trouble with the law. unless she's stupid enough to try breaking into boxes without having her own machine protected.
steeld
March 27th, 2002, 11:43 AM
If you have ADSL (or similar), your ISP will constantly try to "see" your router (through whatever methods they use - ie, broadcasts, pings, etc), to check if it is alive, so that if it appears not to be there, they can give your IP address to someone else (obviously, only if you don't have a fixed IP). Just a thought.
Although, Subseven listens on 1243, so it might be worth checking your clients for infection. Why would someone be trying to connect to 1243 on a client machine, unless it already had S7 installed?
THE-OMEN
March 27th, 2002, 01:52 PM
From what i can see i agree with the points above; it appears to be a script kiddie trying to attack you and see whether you have a sub7 server installed on your machine. If i was you i would run a virus/trojan scanner on your drive to see if you have got a trojan.
Hope this helps
Damien
AngryBob
April 3rd, 2002, 04:30 PM
http://www.arin.net/whois/arinwhois.html
go there and type the IP in....it should give you a phone number and contact info of the ip block.
kadeng
April 3rd, 2002, 08:38 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by Guus
Well, as long as your firewall is blocking the attempts, you're safe. What I would do is tracerouting the IP, and report it to it's ISP ( abuse@<isp> ) together with a copy of your logs. That should do the trick.
had a problem with tracerouting.........could not find the abuse@ from this ip
168.95.192.1
thx
wayneh
April 4th, 2002, 04:22 PM
Here you go !!!
Chunghwa Telecom Co., Ltd. (NET-CHUNGTELECOM)
21, Hsin-Yi Road, Section 1
Taipei, Taiwan 100
R.O.C
TW
Netname: CHUNGTELECOM
Netblock: 168.95.0.0 - 168.95.255.255
Coordinator:
Wang, Nien-Tsu (NW17-ARIN) ntwang@MS1.HINET.NET
+886 2 3445858 ext. 3150 (FAX) 886-2-3955671
Domain System inverse mapping provided by:
HNTP1.HINET.NET 168.95.192.1
HNTP3.HINET.NET 168.95.192.2
DNS.HINET.NET 168.95.1.1
Record last updated on 09-Jun-1997.
Database last updated on 3-Apr-2002 19:59:39 EDT.
chawleyx87d
April 4th, 2002, 05:29 PM
My small home network is hidden behind an RT314 firewall.
Do you have ICMP blocked? You have to configure ICMP on the router to block incoming with a rule; Netgear excluded it in their last RT314 firmware (I had 4 Netgear routers myself). The IP address probing you likely belongs to a victim who was hacked and not the attacker, so reporting to abuse is a complete waste of your time. No cracker will use their real IP because he/she knows they will get caught and traced right away, unless the intruder is a lamer script kiddie who doesn't know better :) You can install my netwatchman to automatically forward probe and attack reports from your router to the proper people: www.mynetwatchman.com
Another suggestion: when you're not home or away you can disconnect your PC from the Internet; it really reduces the risk.
kadeng
April 4th, 2002, 06:22 PM
Thx wayneh and chawleyx87d [i will try abuse, maybe it will help] otherwise no harm done by that ip address.
thx guys
wayneh
April 9th, 2002, 11:12 AM
No probs m8 !!!